"Patrick M. Hausen" <[email protected]> writes: > 4. FreeBSD is - to my knowledge - not susceptible to this attack because > our sshd > is not linked to the compromised library at all.
That's not sufficient. The attack payload is a binary blob and has not been fully analyzed; it could have other effects which haven't yet been discovered. However, FreeBSD is not vulnerable because the version of xz included in FreeBSD includes neither the attack payload nor the trojaned build script which injects the payload into the library. > 5. Even if you installed a supposedly compromised xz from ports, there are > probably > no ill consequences. We don't have an xz or liblzma port. DES -- Dag-Erling Smørgrav - [email protected]
